Well, that didn’t take long.
Just last week, Apple released a new iPhone with a built-in fingerprint scanner. The scanner, marketed as a security device that unlocks the iPhone with the touch of a finger as opposed to a password, was described by many in the media as an example of science fiction turned science fact.
It’s certainly a great technology, but like all great innovations throughout history, it had the potential for failure. It was a maxim of Julius Caesar’s that, as long as there are codes, there will be code breakers.
The fallout from Apple’s recent release of the fingerprint scanner has once again validated that statement by one of the fathers of Western Civilization.
How the hackers did it
German researchers have claimed they already hacked the fingerprint scanner. They say they did it with a manufactured fingerprint.
Associated with a group that goes by the not-too-disturbing name of Chaos Computer Club, posted a YouTube video that depicts various members of the group using a fabricated fingerprint to gain access to a locked iPhone device. The fabricated fingerprint is made from a photograph.
Here’s how the hackers say they defeated Apple. First, they photographed a fingerprint from a glass surface using a digital camera with 2400dpi resolution. Then they touched up the image a bit to remove any imperfections.
Next, they used a 1200dpi laser-printer with a thick toner setting to print the image of the fingerprint on a transparent sheet. Finally, after the printed fingerprint had cured, they smeared it with latex. When the latex sheet was lifted from the paper, someone breathed on it to provide a little bit of moisture. This latex was used to unlock the iPhone.
Fingerprint scanners have been hacked before
This means of hacking a fingerprint scanner is actually nothing new. Back in 2002, a Japanese research team used a gel fingerprint to crack fingerprint scanners. According to the CCC, “This process has been used with minor refinements and variations against the vast majority of fingerprint sensors on the market.”
Frank Rieger is the spokesperson for CCC. (Yes, hacker groups have spokesperons). He was unequivocal in his condemnation of the use of fingerprint scanners as security devices.
“We hope that this finally puts to rest the illusions people have about fingerprint biometrics,” he said on the group’s website. “It is plain stupid to use something that you can’t change and that you leave everywhere every day as a security token.
“The public should no longer be fooled by the biometrics industry with false security claims,” he continued. “Biometrics is fundamentally a technology designed for oppression and control, not for securing everyday device access.”
The purpose of Touch ID
The aim of the Touch ID technology, of course, was to make it easier for authorized users to unlock their mobile device. As any iPhone user knows, unlocking the device over and over again with a password can be quite a nuisance. Unlocking it with a touch of your finger would be much easier.
Apple claims the Touch ID technology actually scans the sub-epidermal layers of the finger to determine whether or not the fingerprint on the screen matches the authorized fingerprint that can unlock the device. Apparently, these German hackers have proven that latex is a valid substitute for epidermis.
All is not lost
However, iPhone users who aren’t locking their devices as a matter of national security can still make use of the Touch ID. This is because hackers will have to go to great lengths to get copies of fingerprints that can be used to crack the device.
Will those hackers be able to get a fingerprint from a coffee mug, or a keyboard, or even an electronic device that’s used to feed a habit?
It’s not that easy to grab a clear fingerprint. And even if one is obtained, hackers need all the technology mentioned previously to produce a fake fingerprint. And they need access to an unattended iPhone. How often do people leave their iPhones unattended?